Full Disclosure mailing list archives
Re: Command Injection Vulnerability in stat.qwest.net - OFFTOPIC
From: "Kurt Seifried" <listuser () seifried org>
Date: Fri, 22 Aug 2003 00:22:47 -0600
Why are you telling us this? How does it affect anyone but Qwest, whom you notified and who fixed it? Do we now send out a security advisory every time we notify someone to disable a vulnerable service ("sir, you have telnet enabled")? This is getting ridiculous.

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

----- Original Message -----
From: "Dan Daggett" <csiwebmaster () csi edu>
To: "Full-Disclosure" <full-disclosure () lists netsys com>
Sent: Thursday, August 21, 2003 5:09 PM
Subject: [Full-disclosure] Command Injection Vulnerability in stat.qwest.net
[Vulnerable Site]
http://stat.qwest.net

[Site Purpose]
Site can be used by network administrators and engineers to test network connectivity, view Qwest's backbones, and test latency across Qwest's network.

[Vulnerable Page]
http://stat.qwest.net/cgi-bin/jlg-new.pl
This page can be accessed through http://stat.qwest.net/looking_glass.html

[Page Purpose]
Run ping and traceroute from various routers/computers in many locations across Qwest's network, including North America and Asia.

[Command Injection]
While running a ping on a site that wasn't up, the error message made me realize that the Perl script was shelling out a command to a remote system and tacking my input onto it. For example, in the dropdown box pick any router and select ping or traceroute. In this case I selected ping. Type in a nonexistent site such as nositehere.nope. Here is what was returned in the page.

/usr/sbin/ping: unknown host nositehere.nope

My next thought was whether or not proper checking had been done to avoid escaping the command and running my own code. This time I used a semicolon to add my own commands on to the end:

nositehere.nope;id;uname -a;

I put the ending semicolon on in case there were additional parameters added to the ping command. Here is the result.

Pinging nositehere.nope;id; from atl-engr-01.inet.qwest.net
uid=60001(nobody) gid=60001(nobody)

[Problem Fix]
The vulnerability here lies in the fact that unfiltered user input is passed by the Perl script directly to the command line. Something as simple as verifying that only certain characters will be passed to the command prompt would prevent this. For example, this would drop any characters that were not alphanumeric, dash, underscore, or a period (the dash is placed last in the character class so that Perl does not read it as a range):

$user_input =~ s/[^A-Za-z0-9_.-]//g;

[Vendor Contact]
Sent email to security () qwest net on August 19th.
Problem fixed August 21, 2003

[Contact Info]
Report can be viewed online http://www.socialgeeks.com/advisories/qwest_aug_21_2003.php
Submitted to list on August 21, 2003 by Dan Daggett

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
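The pattern the advisory above describes, as an added illustration that is not code from the advisory, from Qwest, or from jlg-new.pl: a minimal looking-glass "ping this host" handler in Perl, showing the vulnerable shell-out, the advisory's character filter (with its character-class range corrected), and a hardened version that validates the target and never starts a shell. The ping path, the -c flag and all function names are assumptions for the example.

```perl
#!/usr/bin/perl
# Added illustration, not code from the advisory or from Qwest's jlg-new.pl.
# A minimal looking-glass "ping this host" handler: the vulnerable pattern the
# advisory describes, the advisory's character filter with its range corrected,
# and a hardened version that validates and never starts a shell. The ping path
# and the -c flag are assumptions (iputils syntax), not taken from the page.
use strict;
use warnings;

# Vulnerable: the target is interpolated into one command string. Because the
# string contains shell metacharacters, Perl runs it via /bin/sh -c, so a value
# like "nositehere.nope;id;uname -a;" executes id and uname as the CGI user.
sub ping_vulnerable {
    my ($host) = @_;
    return `/usr/sbin/ping -c 3 $host 2>&1`;    # do not do this
}

# The advisory's fix (with the [] range corrected): strip everything that is not
# alphanumeric, dash, underscore or period. Safe against shell metacharacters,
# but it silently rewrites the input rather than rejecting it.
sub strip_filter {
    my ($input) = @_;
    $input =~ s/[^A-Za-z0-9_.-]//g;
    return $input;
}

# Preferred: accept only well-formed hostnames or dotted-quad IPv4 literals.
# Labels must start with an alphanumeric, so a target can never begin with
# '-' and be parsed by ping as an option.
sub valid_target {
    my ($host) = @_;
    return 0 unless defined $host && length($host) <= 253;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return 1 if $host =~ /^$label(?:\.$label)*$/;
    my $octet = qr/(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])/;
    return 1 if $host =~ /^$octet(?:\.$octet){3}$/;
    return 0;
}

# Hardened: validate first, then use the list form of open so the target is
# passed to ping as a single argv element and no shell is involved at all.
sub ping_hardened {
    my ($host) = @_;
    die "rejected target\n" unless valid_target($host);
    my @cmd = ('/usr/sbin/ping', '-c', '3', $host);
    open(my $fh, '-|', @cmd) or die "cannot run ping: $!\n";
    my $out = do { local $/; <$fh> };
    close($fh);
    return $out;
}

# Demonstration on constructed inputs (no network access needed).
unless (caller) {
    for my $t ('nositehere.nope', 'nositehere.nope;id;uname -a;',
               '192.0.2.1', '-f', '`id`.example.net') {
        printf "%-32s strip=%-22s valid=%d\n",
            $t, strip_filter($t), valid_target($t);
    }
}
```

Run the script as-is and it prints, for each constructed input, what the strip filter would turn it into and whether the allow-list validator accepts it: the injection string from the advisory is reduced to "nositehere.nopeiduname-a" by the filter and rejected outright by the validator. The two defences are complementary: the allow-list keeps bad input out, and the list form of open (or system) means that even a value that slipped through could not be interpreted by a shell, because there is no shell in the path.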
Current thread:
- Command Injection Vulnerability in stat.qwest.net Dan Daggett (Aug 21)
- Re: Command Injection Vulnerability in stat.qwest.net - OFFTOPIC Kurt Seifried (Aug 22)
- Re: Command Injection Vulnerability in stat.qwest.net - OFFTOPIC Blue Boar (Aug 22)
- Re: Command Injection Vulnerability in stat.qwest.net - OFFTOPIC Kurt Seifried (Aug 22)